While this subject has been presented often on several popular blogs and webpages, I hope to focus on the use of privacy tools and mechanisms specifically tailored for journalists. Having said that, this is not limited to investigative journalists. These practices and methods should be encouraged for journos of all fields. You might all find yourselves needing them someday. After all, technology changes exponentially, and malicious attacks, including surveillance of writers, increase at a seemingly similar rate.

In this all-encompassing digital age, you might find it surprising that journalists and members of the media throughout the world still don’t have a solid knowledge of everyday electronic security practices. The fact is that there are many safeguards that journalists and their publications can and absolutely should be taking, but are not. Many of these safeguards are very easily implemented, and can be a big step forward in preventing digital attacks. Some take more time and configuration, but are worth learning under conditions where things like surveillance and other threats against journalists are commonplace. Regardless, all security tactics should be considered and taken seriously.

Survey Results from Journalists in Pakistan, from the ‘Digital Security and Journalists’ report by ICI&L and Bytes for All (May 2013)

The first step in keeping your information and communications safe is understanding the environment in which you are working. Your identity or the identity of a source can easily be exposed by digital identifiers such as your IP address, MAC address, geolocation data, network packets and other metadata. As we gain a clearer image of how surveillance and targeted tampering work, we can understand the tools and skills we need in order to do everything possible to avoid it.

__________

A THREAT MODEL:

As a journalist, there are many who would go out of their way to thwart your endeavors, and many reasons why this might happen. From the hacker who’s just trying to gain some points and make a name for himself, to the paid agent who desires something much more harmful, it can happen on a large scale and frequently. Journalists and bloggers across the globe are having their digital habits exploited, tapped, and monitored. Even groups dedicated to protecting the rights and safety of journalists have become targets. While this seems like something limited to small publications or to journalists and bloggers in the Eastern side of the globe, it has also aggressively become a serious issue in some of the world’s biggest news companies. Yes, it really has, at notable organizations such as the Associated Press or Fox News.

One of the first steps of threat modeling is figuring out which data in particular (from executable files to communications) you need to keep safe. Obviously, your sources are a key point in this model. You need to make sure that any communication methods, logs, files exchanged, and metadata involved are locked away (and/or eventually purged) from any unwarranted eyes. There is also all of your writing and other work that you will eventually publish. You obviously don’t want that falling into the wrong hands, or even corrupted on your own system. Then there are the address books and personal information of yourself and others, ranging from email contacts to actual business/home addresses. If these are exposed, you and the people you have worked with can be directly targeted. While there are probably many more items you can think of, this should give you an idea of what you have to manage and how important it is to do it in a secure manner.

The second step of your threat modeling is understanding and analyzing who your adversaries might be and how they might go after you. As mentioned earlier, journalists are a prime target for several different types of malicious actors. While low-profile individuals should be a concern, depending on where you are practicing journalism you will have a lot more to worry about, especially if you are living in a country where journalists are considered a threat to be dealt with by the government and other agencies.

Whoever is going after you on the internet will have at least enough technical knowledge to try to gain control of what you possess. While there are a vast number of different ways an attacker can hack your site, deface your blog, steal your passwords, or even gain access to your electronic devices, I will be limiting the threats in this post to the ones that are more commonly used (for the sake of brevity).

Malicious software, or malware, is a broad term for an infection or disruption tool used to attack either a single computer or a group of devices. There are many different attacks carried out through several different types of malware. Here is a list of the more popular forms of malware (with corresponding wiki-page hyperlinks for broader explanations):

Phew. Quite a scary list, no? Perhaps scarier is the ease with which most of these infections can be carried out. Most computer viruses can be disguised as a seemingly benign piece of downloadable software or embedded in a file, such as an email attachment.

Spyware is a good example of this. It is often bundled with freeware and other downloaded software. If I had any faith at all in the antivirus software you may have installed on your machine (I don’t), I’d say set it to scan everything and anything you download by default, or at least scan things you download from untrusted sources before opening or running them. The key here is to be very careful about what you download or choose to open, period, but we will go over this more later.

Rootkits can (and will, more often than not) make themselves VERY hard to detect, commonly to a level of stealthiness where your operating system will not show them to you at all. They are also capable of compromising the operating system kernel, altering the results returned to any application that asks about them so that they remain hidden.

Keyloggers are a popular tool for a more dragnet-style attack. Once a keylogger is installed on an individual’s computer, every letter they type can be recorded by the software. This can either be retrieved later by the person who planted the keylogger (physically or digitally), or the information can even be broadcast live or shortly after it is keyed, if the keylogger includes code to connect out over a network. There have been instances where physical keyloggers have been planted on computers belonging to stores, banks and other buildings holding delicate personal information. There is a potential for this to happen in a journalistic environment, such as a publication’s headquarters. Audits of computer hardware come in handy for preventing this particular issue, even though it may be a rare one. It should be known that these devices are easily and cheaply purchased online.

Phishing attacks are arguably the most popular way in which assailants steal digital information from journalists and their publications, or simply gain control of their website. Just this year there have been several instances of phishing being used against notable journalist organizations, including the New York Times. Phishing is technically a social engineering tactic (we will cover this shortly), where an individual will attempt to trick you into clicking a link contained in an email or on a website in order to lead you to a site or domain where you will be infected (usually with the malware of their choice). Keep in mind that there are many different types of phishing attacks, so you should be ever-vigilant about clicking on links contained within your emails and the websites you visit.

Another extremely popular attack that is more and more commonly used to intercept communications is a Man-in-the-Middle attack, or MitM. These particular hacks allow the attacker to eavesdrop on a communication between two or more individuals, an investigative journalist and their source, for example. In most cases, not only is the attacker able to view the messages, images, and even files that these individuals are sending to each other, but they are also able to intercept communications sent from either side and replace them with a message/image/file of their own choosing (examples include ARP spoofing and ARP cache poisoning). Carrying out a MitM attack can now be done with great ease thanks to freely available systems with pre-installed hacking software. Put simply, anyone with access to your ‘transfer medium’ and the means to crack its security (if it has any set up) can possibly perform a MitM attack on your digital traffic. Below is an example of a MitM attack using Ettercap, available for several Linux operating systems:

Now imagine instead of watching a YouTube video of everyone’s favorite pop song, you’re watching a video that your source sent you, something much more sensitive. The person snooping on your network traffic has that video too now, and any other raw visual media you have been receiving, sending, or playing on your computer.

Lastly, there is something known as a Remote Access Tool, or RAT. A RAT is a very frequently used type of software that exploits your system in order to give the sender of the RAT access to practically anything you might be doing. Here are some of the capabilities a RAT that has successfully been launched on your computer might give the person(s) controlling it:

And if you think that’s bad, RAT Trojan horses can be an even bigger mess. Deployment of a RAT is commonly done through many of the previously mentioned methods, including (but not limited to) phishing and MitM attacks. Again, always be very skeptical of documents and other attachments/links people (especially people you do not trust) send you before opening them.

There are also several different types of attacks on your personal data that can be accomplished without an internet connection. Say someone steals your laptop. Good thing that your operating system’s user account is password protected, right? Well, not necessarily. Easily obtained password cracking programs will allow the thief to crack your password and have free rein in your user account. Well, good thing you compressed your actually important files in password protected .zip files. Hope the culprit enjoys the several unimportant songs and pictures of your dog you have stored on there, right? There are still several ways that an attacker who has your laptop can break into your password protected files if they use weak encryption schemes (even using the same programs they used to get your user account password).

There are even less technologically inclined tactics that date much further back than the rapid-fire password crackers of today. One of the more popular tactics is what’s known as social engineering. Chances are, whether you know the term or not, you’ve heard a story at some point of someone getting scammed this way. Often someone who is looking to steal information from a victim will find their phone number or email address and contact them, usually pretending to be someone else, telling them there is an issue with an account they have. They will likely make it sound very serious and legitimate, and at some point, they will ask you for your password. Do not EVER give ANYONE ANY of your personal passwords for ANYTHING. I will come back to this a few times throughout this post, only because it has been the downfall of so many people over the decades.

PROTECTION:

Now that you’ve been thoroughly spooked by malicious technology, we can begin talking about how you can protect yourself from these horrible things. In terms of keeping your computer safe and clean, there is a common approach: “Prevention, detection, removal.” The first line of defense is always to use protective tools to prevent anything nasty from making its way onto your machine. Use them constantly. If, by some sleight of hand or leak in your defenses, your machine becomes infected, these tools will most likely also be able to tell you this has occurred. They will detect the threat, and hopefully give you a means to remove what’s causing it.

If it isn’t already obvious, you’ll absolutely need a safeguard (multiple, really) against malicious files and activity for your operating system. There are many antivirus programs (including open source options) out there, many of them available for free, that will work with your configured operating system. It must be understood, however, that while a lot of antivirus programs will try to convince you that they offer “system-wide” protection, this is hardly the truth. The common practice of almost all antivirus software is to check files against a list of known viruses, which needs to be updated (frequently not quickly enough) after new virus discoveries have been made by the information security community. Do not rely much on antivirus software.

It is of utmost importance to be constantly vigilant in protecting your network packets. These are normally visible to anyone who has access to your network and is sniffing its traffic. They detail not only the IP address of your machine but also the IP address of the machine the packet is heading to. To make matters worse, a snooper can look into the packet’s content too, because packets are all too commonly sent in plaintext, i.e. unaltered raw/insecure text. Knowing this, snoopers and sniffers can have the content of the packets as well (which detail your conversations).

This is where a firewall comes in as an essential defense. Firewalls monitor and control both incoming and outgoing packets to ensure that nothing malicious is coming in or going out. They do this by carefully analyzing the packets against a set of rules. If you are a journalist or blogger, you absolutely SHOULD use a personal firewall on your computer. Really, everyone should make sure to have one implemented, but there is no excuse for not having one as someone whose profession constantly requires them to communicate with volatile sources and distribute important information through digital platforms on a daily basis. Here is a comprehensive list of personal firewalls, many of them available for free. Please read carefully and configure one on your device as soon as you can (if you haven’t already).

There are several other programs that work very well in defending you against these threats besides antivirus and firewall software. One of my favorite tools available for free (Windows compatible) is Spybot Search & Destroy (commonly referred to as ‘S&D’). S&D is very well known in the realm of spyware and adware removal. If at some point you are infected by malware, S&D is a good resource that you should download onto a USB stick from another, uninfected computer and run in safe mode on your infected machine.

Sometimes your computer will become infected beyond the point where your antivirus or S&D can get rid of the root cause. One of these cases might be an elusive rootkit infection. Luckily, there are tools available outside of standard virus protection that you can use to try to eliminate the issue. One such tool available for Windows users is known as RootkitRevealer. This is part of the Windows Sysinternals utilities collection, a very useful bunch of executables for administration. Another tool available for getting rid of rootkits is F-Secure’s BlackLight. Using either or both of these should be to your advantage if you ever have the misfortune of dealing with a deep infection via rootkit.

One very interesting “prevention”-focused program I’ve run across is called Sandboxie. The people who developed this piece of software took the “trust no one” mentality seriously.

Quick visual explanation of how Sandboxie works: benefits of the isolated sandbox.

There are many practical uses for Sandboxie within your operating system, as listed on the program’s homepage:

Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded easily.

Say an alleged source sends you a file. You doubt the validity of the source, and think that the file sent might not actually be a juicy tip, but instead a piece of malware hellbent on creating chaos on your machine and the network it’s connected to. You could run the file through Sandboxie first to see what happens, without letting it access any crucial components of your system. If something funky does result from opening the file, it will be restricted to the sandbox and the rest of your system will be safe.

As mentioned in the bullet points, this also serves as a piece of software to keep you safe from infections while browsing the internet. Just open up your browser within Sandboxie and you’re that much safer.

This same tactic can be used within a virtual machine (VM), but keep in mind that VMs are handled a little differently than sandbox applications such as Sandboxie. They are also much more complex. Here is a good run-through (with graphics) of the differences between a sandbox and a VM. We’ll be looking at a couple of operating systems that rely on virtual machines for security purposes later, so hold off on thinking too much about this for now.

SOFTWARE & HARDWARE HABITS:

It is very important to keep tabs on the software you are using, as well as to be cautious while downloading any new software that you may not be too familiar with.

Perhaps the most crucial habit I can think of in terms of keeping your system and the software you use on it more secure is to ALWAYS keep things up to date. The next time Windows, OS X, or your favorite Linux distribution informs you that your system has new updates that need to be installed, please update. Software that lacks the latest security updates and patches for known vulnerabilities is insecure software. This especially applies to your operating system.

A very important way you can attempt to ensure that pieces of software you’ve just downloaded are what they claim to be (and haven’t been tampered with) is by verifying their individual digital signatures.

Digital signatures – or checksums – are unique identifiers created to serve as proof that a file has not been corrupted, or duplicated and changed, since its creation and hosting. In other words, a checksum serves as an indicator of authenticity. An official website will often state what the checksum of a file it hosts should be on the page the file is downloaded from, and then ask you to verify the file once it has been downloaded to make sure its checksum matches the one provided on the webpage. Doing this within Windows will require you to use the Microsoft File Checksum Integrity Verifier, which can be executed through your command line as the following example shows.

This can also be done on a Mac by using these steps in the operating system’s terminal. It’s applied similarly for Linux users. If you find these tools too complicated or wish to use other ones for any reason, here is a list of other tools to use with checksums.
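The verification step described above, written out as an added example (this is not code from the original post or from any of the tools it links to): it hashes the downloaded file in chunks, cleans up the checksum copied from the download page, refuses a truncated or mistyped published value instead of silently mismatching, and parses the common "hexdigest  filename" SUMS-file layout. The algorithm names and the SUMS-file format are standard; the file name and the "abc" file content are constructed for the demonstration, and SHA-256 is assumed as the default.

```python
import hashlib
import hmac
import re

# Hex digest lengths for the algorithms download pages commonly publish.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# One line of a SHA256SUMS-style file: "<hexdigest>  <filename>". A leading "*" on
# the filename marks binary mode in GNU coreutils output and is ignored here.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")


def _check_algo(algo: str) -> None:
    if algo not in HEX_LENGTHS:
        raise ValueError(f"unsupported algorithm: {algo}")


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Lowercase hex digest of in-memory data under the named algorithm."""
    _check_algo(algo)
    return hashlib.new(algo, data).hexdigest()


def hash_file(path: str, algo: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large download never has to fit in memory."""
    _check_algo(algo)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(published: str, algo: str = "sha256"):
    """Clean up a checksum copied from a web page (stray whitespace, upper case).

    Returns None when the value cannot be a digest of that algorithm, e.g. a
    truncated copy-paste: a malformed expected value must fail, not be ignored.
    """
    _check_algo(algo)
    value = published.strip().lower()
    if len(value) != HEX_LENGTHS[algo] or not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return value


def digests_match(actual: str, published: str, algo: str = "sha256") -> bool:
    """Compare a computed digest with a published one in constant time."""
    expected = normalize_digest(published, algo)
    if expected is None:
        return False
    return hmac.compare_digest(actual.lower(), expected)


def verify_bytes(data: bytes, published: str, algo: str = "sha256") -> bool:
    return digests_match(hash_bytes(data, algo), published, algo)


def verify_file(path: str, published: str, algo: str = "sha256") -> bool:
    return digests_match(hash_file(path, algo), published, algo)


def parse_sums(text: str) -> dict:
    """Parse a SUMS file into {filename: hexdigest}; blank and '#' lines are skipped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed example: a "download" whose content is the SHA-256 test vector
    # "abc", plus the SUMS file the site would publish beside it.
    sums_text = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
                 "  tool-1.0.tar.gz\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"abc")
        published = parse_sums(sums_text)["tool-1.0.tar.gz"]
        print("genuine download verifies:", verify_file(path, published))
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a corrupted or tampered download
        print("altered download verifies:", verify_file(path, published))
```

A match only proves the file equals what the page published, so the published value has to come from a page you trust (ideally over HTTPS); a checksum alone cannot tell you who produced the file.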

When it comes to hardware, you could argue that there are fewer holes for snoops or hackers to get through, but that doesn’t mean that it’s anywhere near impervious. A kernel-level rootkit can give someone deep control of your machine, leaving essential hardware on your computer in another’s hands. An even more likely scenario is attackers targeting your router. This way, your packets can be very easily intercepted and logged by an adversary.

For both software and hardware maintenance, a good method to keep in mind is hardening. We can think of hardening as a type of auditing of the software and hardware you will be using. Depending on how vulnerable you feel after understanding the risks of using a program, computer, or network, you may find it to your advantage to remove certain digital (or even physical) components that are unnecessary. Hardening is not limited to removing components, however. It can also be achieved by implementing safeguards such as a firewall and intrusion detection systems.

In terms of hardware hardening, one of the more essential places to start is with your router. While working from home or a location where you are using a personal router, there are a few steps you can take to make it harder for an attacker to reach/breach you through your network connection. A good place to start is to ensure that your wireless connection is password authenticated. This is very easy to set up with practically any router. Over time, it has become evident that the way WEP network encryption (and the algorithm behind it) was applied to router infrastructure is weak and nowhere near impervious to cracking attacks, so it is best to set up your password using WPA or WPA2 encryption.

While both of these configurations are a good start, it’s also important to understand that – when it comes to information security – routers are just generally bad. One of the main reasons for this is the crummy/out-of-date default firmware which comes loaded onto the router. This is the “brains” of the operation in terms of the way your router functions. Chances are, you will be better off flashing a custom open-source firmware to your router. While this both sounds and can actually be a bit complicated, there is currently a wide variety of guides and other resources for flashing these firmwares to many individual routers out there on the web, and it is most definitely worth doing. After you’ve gone through with it, you won’t only have a more secure and robust firmware configuration, but you’ll probably also find that your router’s performance has improved a bit.

One of the more popular third-party firmwares is DD-WRT. The official DD-WRT site has a “Router Database” page where you can look up your router model (this should be very apparent on the box it came in, as well as on the router itself) and see if there is a version of DD-WRT firmware for flashing to it. From there, you will have to follow the instructions very carefully. I cannot stress this enough, as an improper flashing could result in bricking your router – or in other words, reducing it to an oversized paperweight. If your current router cannot be found in the “Router Database”, it is likely that it’s not supported by DD-WRT (at least not yet).

However, there are a few other recommended open source firmware projects similar to DD-WRT. One of these is called OpenWrt and the other is Tomato. You can find similar instruction sets for different routers by navigating either of their official sites. At bare minimum, if your router does not support any of the three previously mentioned firmwares, you should at least make sure that you have the latest version of firmware offered by your router’s manufacturer. Since this type of thing can’t update itself, you need to remain vigilant.

Finally, if you really want to put your network security to the test, you can use tools like BackTrack or Kali Linux to try to poke holes in your own network in order to see how secure it really is. Both require a bit of learning, but the manuals included within their interfaces provide a good amount of help, and throwing yourself into things is always an adventurous option. Here’s an example of how one of these easily available Linux systems (including wireless monitoring and brute-force dictionary cracking programs) can show you how easy it might be to crack even a WPA2-PSK encrypted router:

So, you made sure to set up a good password for your encrypted network, right? Are you sure it’s good enough? You might want to think again. While brute force goes through individual characters one by one in order to crack your password, a dictionary attack relies on a predetermined list of common phrases, making it quicker to crack if you’ve used a weak password. These lists can be derived from any text, really, from the Bible to YouTube terms. In fact, here‘s how many passwords were cracked using that method. This is often much more effective and very commonly used.

So, now is probably a good time to talk about general password security techniques. In 2012, the number one most commonly used password was… “Password”. If you’re doing this, stop. That applies to password choices for any account, regardless of what value you might apply to the data it holds.

Now, I know I just mentioned how dictionary attacks are getting more complex, but don’t let that take a key factor of password security away: use randomness and length for extra strength. When I say randomness, I mean randomness. It’s best to stay away from words you would find in a dictionary. This doesn’t mean you need to use made-up words, however. There are also a few interesting techniques that will suffice. You could try to create your own so-called ‘personal algorithm’, for example. This could be a long phrase with every sixth letter swapped out for your cat’s birth month followed by year as you go left to right. Try to think of something creative along these lines.

There are also many tools that can help you generate a complex password (see KeePass later). One of the more powerful methods for creating passphrases that you might actually be able to memorize is something called Diceware. All you need here is a set of dice and to follow these instructions carefully. Keep in mind, using the passphrases generated by this method is probably best for a master passphrase of some sort – perhaps the passphrase for a password manager (containing all of your other pseudo-randomly generated account passwords). For an extra layer of security (or tin-foil-hat peace of mind), you can mix other characters into these Diceware phrases.
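As an added illustration (not part of the original post and not the Diceware project’s own code), here is the procedure in Python: roll five dice with the operating system’s CSPRNG, look the key up, and work out how much entropy a given number of words buys you against the dictionary attacks discussed above. The ten-entry word list is a constructed stand-in for the real 7776-word list, and the attacker guess rate in the demo is a hypothetical figure chosen only to show the arithmetic.

```python
import math
import secrets

DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 words in the real list

# Constructed stand-in for the real Diceware list, which has one word for every
# five-dice key from "11111" to "66666". Only a few keys are filled in here so the
# block runs offline; these are not the real list's words.
SAMPLE_WORDLIST = {
    "11111": "apple", "11112": "brick", "11113": "cloud", "11114": "delta",
    "11115": "ember", "11116": "flint", "11121": "grove", "11122": "harp",
    "11123": "ivory", "11124": "jolt",
}


def roll_key(n_dice: int = DICE_PER_WORD) -> str:
    """Simulate rolling n fair dice with the OS CSPRNG; returns e.g. '42615'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def lookup(key: str, wordlist: dict) -> str:
    """Map a five-dice key to its word, as you would by hand with the printed list."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a valid dice key: {key!r}")
    return wordlist[key]


def diceware_phrase(n_words: int, wordlist: dict = SAMPLE_WORDLIST, sep: str = " ") -> str:
    """Pick n_words uniformly at random from the list.

    With the complete list this is exactly roll_key() + lookup() repeated; with a
    partial list like SAMPLE_WORDLIST we choose uniformly among the words we have.
    """
    keys = sorted(wordlist)
    return sep.join(wordlist[secrets.choice(keys)] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of n_words chosen uniformly from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for an attacker who knows the method and the list to hit the phrase.

    They must try half of the 2**bits possibilities on average; a dictionary attack
    can do no better than this against a uniformly chosen phrase.
    """
    return (2 ** bits / 2) / guesses_per_second


def add_random_symbol(phrase: str, symbols: str = "!@#$%^&*") -> str:
    """Mix one extra character into the phrase at a random position."""
    pos = secrets.randbelow(len(phrase) + 1)
    return phrase[:pos] + secrets.choice(symbols) + phrase[pos:]


if __name__ == "__main__":
    phrase = diceware_phrase(6)
    print("phrase (from the constructed list):", phrase)
    print("with an extra symbol mixed in:", add_random_symbol(phrase))
    print("entropy of 6 real Diceware words: %.1f bits" % entropy_bits(6))
    print("words needed for 80 bits:", words_needed(80))
    # Hypothetical attacker speed, chosen only to illustrate the arithmetic.
    years = expected_guess_time_seconds(entropy_bits(6), 1e12) / (365 * 24 * 3600)
    print("average time at 10^12 guesses/s: %.0f years" % years)
```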

So now you have a suitable password. But how can you remember the others safely? Before you reach for that sticky note, try to think in a more security-minded way. If you have a password that is too long and contrived to remember in its entirety, or you are using an algorithm that inserts characters or numbers within words or phrases, why not write down the two parts separately and remember that you’ve done so? That way, you are not putting the full raw password in one place to be found.

Besides physically storing your passwords on paper or by other non-digital means, there are also a few programs you can use if you feel comfortable enough storing your passwords on a computer. Password managers (sometimes referred to as “password lockers”) are programs that enable you to store all of the passwords you use for other applications and clients in one place, which is itself protected by a (hopefully long and strong!) password of your choice.

Personally, I recommend you stay away from browser-based password managers, as they store their information on servers that can be exposed and they generally cost a bit more. As an alternative, there are three free desktop clients that I recommend choosing from: Password Safe, KeePass and KeePassX. These are great open source options that provide strong encryption algorithms (all can use AES-256 and are capable of other variations) to secure the password databases. They all come with built-in password generators as well.

If you’re interested in checking out some other free options for desktop clients, this is a nice little list you can click through.

One last word of advice regarding password security: DON’T choose ‘remember my password’ or save any passwords in your browser, or save them for anything you’re doing, really. It may be annoying to enter them manually at times, but it’s better to take the time to do that than to have someone with access to your machine also have extremely easy access to your passwords.

BROWSING & RESEARCH:

It’s become clear that there is a plethora of snooping, tracking, and hijacking technology out there to invade your computer, reveal your identity, and/or exploit weaknesses in browsers in order to take control of your computer and its contents. In many countries with totalitarian regimes, investigative journalists (and journalists in general, really) have been targeted by their government as a threat to be silenced. Many who have been caught have been imprisoned, tortured, or even killed by their own governments. Finding and silencing these individuals has become more convenient due to the increase in communication via the internet, whether it be email, Skype, social media platforms, or chat clients.

More than ever, it is important for investigative journalists to use tools that secure their identity as they go forth with research for their projects. While proxies are a viable option to make it look as if you are working from a different location, many of them are far from impervious to being cracked, and there are other identifiers (such as MAC addresses) that can reveal even more detailed information about a user.

For a thin layer of protection, there are proxies. As mentioned earlier, the only thing a proxy will protect you from is having your location revealed by your actual IP address. A proxy will give you a different IP address and route your traffic through a proxy server. This can also serve as a good tool to bypass censorship of certain websites, which are sometimes restricted in certain countries or blocked by other means. However, running traffic through a single proxy should not be considered inherently secure. It is much better to use other, more structurally robust anonymizing tools, which will be mentioned shortly.

While browsing sites, you might notice that many URLs in the browser bar start with HTTP://, which stands for Hypertext Transfer Protocol. Without getting too bogged down in the details of HTTP, for the context of this post you mostly need to keep in mind that it is the protocol that carries the requests (and the information you input) on a site and returns the appropriate response to each request. However, HTTP can be very insecure, especially if you’re entering login credentials or dealing with other personal information on an HTTP site while connected to an open network. While there is no way for you to use an alternative to plain HTTP on sites that don’t have the proper encryption enabled, there are ways to make sure you are working on sites with a layer of protection. The most practical is to make sure you are using sites that are run with a more secure transfer protocol: HTTPS. Hypertext Transfer Protocol Secure is a layer of encryption over HTTP that makes interactions on an HTTPS site much more secure than over plain HTTP. It’s an imperative first line of defense against eavesdropping and site trickery such as Man-in-the-Middle attacks while browsing.

The always wonderful Electronic Frontier Foundation helped create a browser plugin titled ‘HTTPS Everywhere‘ in order to encourage safer browsing habits. The plugin can be installed as an add-on or extension for both Firefox and Chrome. Here is a quick summary from the EFF on what HTTPS Everywhere was created for:

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using a clever technology to rewrite requests to these sites to HTTPS.

In other words, HTTPS Everywhere will help ensure that you are browsing and communicating through your browser over HTTPS whenever possible, even when it is not the default for the site you are on, thus securing your logins and other susceptible transactions. If you’re really worried and want to put an even taller tin-foil hat on, there are add-ons available that ensure you can only connect to encrypted sites, which they do by refusing to connect to any HTTP site. Keep in mind that with such a tool you will not be able to connect to sites that have no HTTPS enabled at all. I have also been told that using this specific add-on together with HTTPS Everywhere can cause the latter to have issues operating.

But what about traffic and actions on sites that don’t have HTTPS enabled? This is where we need to seek out a separate tool to protect our traffic. In times like these, we would do well to have a Virtual Private Network (VPN) at work. A VPN is often referred to as an encrypted “tunnel” your traffic is transported through, so that your actions are not “out in the open”, or in other words, visible and easily understood by those who might be monitoring the network you are connected to. Without it, most of the attributes of your outgoing and incoming network packets (and often their content as well) are in plaintext. Most VPNs transfer each packet by encapsulating it within another packet and streaming it to where it needs to go inside the VPN tunnel. The key is that nothing inside the tunnel can be seen by outside adversaries. VPNs are perhaps the most convenient and ideal solution for protection against MitM attacks.

Lots of VPNs use an excellent security protocol known as IPsec to both authenticate and encrypt network traffic through their tunnels. It signs your packets before sending them through to their endpoint, where the receiving side verifies that they have not been changed before passing them on. Your traffic and actions are much safer and more secure using a VPN than they would be over a normal connection.

You can use your VPN while you’re connected to just about any wireless network, not just your own home network or the network the VPN was initially set up on. Many VPNs come with software or a user interface that makes it easier to manage the connection and ensure that you are in fact connected through the VPN as you browse or do anything else. LogMeIn Hamachi is one example of a very simple VPN. However, it must again be stressed: keep a vigilant watch for VPNs that sound sketchy and make exaggerated promises (beware the snake-oil salesmen). It should also be said that Hamachi’s VPN is closed source, so its code has not been properly scrutinized by security professionals and other communities. Many believe that the most secure VPNs are ones that both promise and show proof that they do not log your original IP address and/or other personal information on their servers, and that are open source.

For a better understanding of the process behind VPN traffic tunneling, this Wikipedia page provides a great step-by-step example.

Another great option is to disable scripts from running in your browser… completely. By doing this, sites are much less likely to run malicious code on your computer. Some sites may not display as well after disabling scripting, but you will be safer this way. This is an appropriate trade-off under the circumstances. Dynamic code on pages, such as JavaScript, can be used to infect your computer the moment you first visit a site. There are several different addons and extensions available across multiple browsers, but I’ve personally found that NoScript works best for Firefox and ScriptSafe does the job for Chrome.

Example of certain scripts being blocked from running on a webpage using the NoScript plugin (Firefox).

Even with scripting out of the picture, there is still the possibility of eavesdropping and other attacks through user cookies. While cookies are mostly used for tracking previous site activity, logins, and third-party advertising, they can still be utilized in many ways by attackers. It’s safe to say that having as much control as possible over which cookies and trackers are placed on you is your best bet. While this will require management as extensive as script permissions with the previously mentioned addons, it is well worth it, considering that there are ways a third party can even exploit your HTTPS cookies. Again, I recommend some addons that work with most of the popular browsers today, and in the case of cookie-blocking, they are Ghostery and the EFF’s Privacy Badger project. Both of these plugins work in a very similar way, where configuration gives you the option of which lists of cookies you would like to block, and whether you would like to see what is being blocked by the plugin on each page you visit. The one advantage Privacy Badger seems to have over Ghostery is that it is capable of blocking a newly popularized and confoundingly annoying type of user tracking technology called Canvas Fingerprinting. Add the uBlock Origin browser plugin to the equation, and you’ll feel a lot better about your daily browsing habits.

Another secure tool for browsing and researching combines a proxy-type setup, script blocking, HTTPS when possible, cookie-evasion tools, and a technical VPN-esque atmosphere with other quirks. This useful tool is the increasingly-popular Tor browser (stands for “The Onion Router”).

“How Tor works”

Tor has long been a popular tool for journalists and bloggers, especially in countries where government surveillance runs rampant. While there are several versions of Tor, perhaps the most popular and easiest to use is the Tor Browser Bundle. The bundle can be quickly downloaded for Windows, Mac, and Linux based operating systems. There are several comprehensive guides to using and configuring Tor available online, but I’ve found that this one (unofficial) is both approachable and detailed for beginners.

While Tor offers an easily configurable private browser – especially with the Browser Bundle – it is highly encouraged that you go further to understand how the tool operates, especially to dispel common misconceptions published about the onion router and its network. The following video is a bit long, but a very informative and relatively accessible explanation of the Tor network:

I really do urge you to listen to the entire thing. Note one of the main points of the speech, perhaps the most important part to remember:

“Tor was originally designed to hide where you are and who you’re talking to. So Tor can’t hide the fact that you’re talking, how much you’re talking, or when you’re talking, but Tor can give you location anonymity.”

Here is another video that stresses the capabilities of the Tor Browser:

Note, once again, the points on the slides highlighting the features of the tool (this part begins around 8m 35s):

TOR BROWSER CAN

Prevent the ISP [Internet Service Provider] or other folks on the wifi at a cafe from knowing which sites you’re visiting

Prevent a site you’re visiting from knowing who you are (unless you tell them)

Prevent a site you’re visiting from knowing that you’re the same person who visited them yesterday

I cannot stress this enough: while Tor should be considered an anonymity tool, it is not necessarily a security tool.

Following this understanding, another risk to be aware of while using Tor is that someone can set up an exit relay to log traffic. While traffic inside the Tor network is still encrypted, any traffic to HTTP sites will be visible to the individual(s) logging at the exit node in question. This means that they will see most sites you are visiting over the “clearnet”. Having said this, using Tor is still better than using a regular browser in terms of general privacy. For more on how Tor works, please refer to the second half of this thorough Security Now! episode.

While the Browser Bundle is the easiest to use, it is also the least customizable, and some might say, the least secure. Since Tor is completely open source, and therefore sharing and building off its model is encouraged, there have been other software projects that use the Tor network. One of the more interesting ones I’ve come across has been the Advanced Onion Router, otherwise known as ‘AdVor’. AdVor claims to let you toggle most of the programs on your computer that connect to a network and run them using the Tor network as a proxy. I honestly haven’t played around with this program much, so I don’t personally know how much it can be trusted.

Perhaps the most ideal tool for using Tor to put a lock on your identity is found within a customized bootable operating system on USB. There are several customized portable “distros” available that have been created by security experts, most being open-source and scrutinized by security experts as well as anyone else savvy with the inner workings of operating systems, their programs, and code.

Tails is perhaps the most impressive of these distros I have come across (so far). Tails stands for ‘The Amnesic Incognito Live System’, and lives up to its name with what it has under the hood. It also runs internet traffic through the Tor network by default. As a bootable USB, Tails can be used on any computer by enabling it to boot from the loaded USB in your BIOS settings (don’t worry, this is pretty easy; see method 2 of 2 here) once you’ve installed the disc image on a spare USB.

Once you’ve got the Tails live system running, you’ll notice that the interface is pretty agreeable. You’ll find all the necessary writing tools through the ‘Applications’ drop-down menu. Tails is pre-loaded with the LibreOffice suite, an open-source alternative to Microsoft Office that is easy to use and similar to what you might be used to. In terms of multimedia, it also includes open source programs to view and edit video files and to listen to and edit audio files.

A screenshot of the Tails Linux operating system.

Besides the necessary software you’ll have, Tails prides itself on being loaded with secure communication and anonymizing tools. Let’s say a source wants to send you a tip or bit of information, but is worried that someone might be watching his digital activities. When you’re both using the Tails system, you can both more securely log on to your own personal machines, connect to the Tor network, and use email or instant messaging to communicate and exchange the files.

But say your source is an extra careful one, and he/she is worried that there is underlying information in the files that could expose his/her identity (after all, metadata is very telling). Luckily for both of you, Tails includes metadata-scrubbing software and something known as a Metadata Anonymization Tool (MAT). Running the source’s files through these processes to scrub and/or anonymize any possible underlying identifiers will most likely put their mind at ease.
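To show what a metadata tool actually removes, here is an added Go example (not Tails’ or MAT’s own code) that scrubs a PNG: it walks the file’s chunks, verifies each CRC, drops the text, EXIF and timestamp chunks, and writes the rest back unchanged. The input is a constructed one-pixel image into which an ‘Author’ tEXt chunk has been inserted; the author name is made up.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"
)

var pngSignature = []byte("\x89PNG\r\n\x1a\n")

// chunk is one PNG chunk: pixels live in IDAT, metadata in ancillary chunks.
type chunk struct {
	typ  string
	data []byte
}

// Ancillary chunk types that carry text, EXIF or timestamp metadata (author, software, camera).
var metadataChunks = map[string]bool{"tEXt": true, "zTXt": true, "iTXt": true, "eXIf": true, "tIME": true}

// readChunks splits a PNG into chunks, verifying each chunk's CRC on the way.
func readChunks(b []byte) ([]chunk, error) {
	if !bytes.HasPrefix(b, pngSignature) {
		return nil, fmt.Errorf("not a PNG file")
	}
	var out []chunk
	for r := b[len(pngSignature):]; len(r) > 0; {
		if len(r) < 12 || uint64(len(r)) < 12+uint64(binary.BigEndian.Uint32(r[:4])) {
			return nil, fmt.Errorf("truncated chunk")
		}
		n := binary.BigEndian.Uint32(r[:4])
		if crc32.ChecksumIEEE(r[4:8+n]) != binary.BigEndian.Uint32(r[8+n:12+n]) {
			return nil, fmt.Errorf("bad CRC on %s chunk", r[4:8])
		}
		out = append(out, chunk{string(r[4:8]), r[8 : 8+n]})
		r = r[12+n:]
	}
	return out, nil
}

// writeChunks reassembles a PNG, recomputing every CRC.
func writeChunks(cs []chunk) []byte {
	var buf bytes.Buffer
	buf.Write(pngSignature)
	for _, c := range cs {
		binary.Write(&buf, binary.BigEndian, uint32(len(c.data)))
		body := append([]byte(c.typ), c.data...)
		buf.Write(body)
		binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(body))
	}
	return buf.Bytes()
}

// ScrubPNG drops every metadata chunk, leaving pixel data untouched; it returns the clean file and the chunk types removed.
func ScrubPNG(b []byte) ([]byte, []string, error) {
	cs, err := readChunks(b)
	if err != nil {
		return nil, nil, err
	}
	var kept []chunk
	var removed []string
	for _, c := range cs {
		if metadataChunks[c.typ] {
			removed = append(removed, c.typ)
		} else {
			kept = append(kept, c)
		}
	}
	return writeChunks(kept), removed, nil
}

// StillDecodes confirms the scrubbed bytes are still a valid image.
func StillDecodes(b []byte) bool {
	_, err := png.Decode(bytes.NewReader(b))
	return err == nil
}

// ContainsText is a convenience for checking whether a string survived scrubbing.
func ContainsText(b []byte, s string) bool { return bytes.Contains(b, []byte(s)) }

// ConstructedPNG builds a 1x1 image and inserts a tEXt chunk with a constructed author name, standing in for what a camera or editor writes.
func ConstructedPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 1, 1))
	img.Set(0, 0, color.RGBA{255, 0, 0, 255})
	var buf bytes.Buffer
	png.Encode(&buf, img)
	cs, _ := readChunks(buf.Bytes())
	text := chunk{"tEXt", []byte("Author\x00Jane Source (constructed)")}
	cs = append(cs[:1:1], append([]chunk{text}, cs[1:]...)...) // tEXt goes after IHDR
	return writeChunks(cs)
}

func main() {
	in := ConstructedPNG()
	out, removed, _ := ScrubPNG(in)
	fmt.Println("removed:", removed, "author string gone:", !ContainsText(out, "Jane Source"), "still decodes:", StillDecodes(out))
}
```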

Tails is basically a very secure and functional system for people who need their data to be kept under lock, so it is ideal for journalists. Take it from Tor member/developer Jacob Appelbaum:

“If you’re a journalist and you’re not using Tails,.. you should probably be using Tails, unless you really know what you’re doing.”

But regardless of how you are using Tor, you should make sure to be very vigilant about what data you choose to type in while using it. While Tor is an extremely good anonymity and security tool, it is not impervious to attacks. Many experts encourage people to be hesitant about logging into any of the accounts or services they would normally use, as they would not necessarily trust Tor’s exit nodes (again, see the Defcon video posted above!). If you do plan on typing in any personal information while using Tor, you should make absolutely sure that you are doing so on sites with HTTPS connections as the default. The Electronic Frontier Foundation has a great page explaining how HTTPS serves as a very powerful extra layer of protection while using Tor.

Tails is not the only robust privacy/security based operating system, however. In fact there are quite a few others that can be found across the web. Having said that, I find Tails to be the easiest to use – which is very important, given how most security and cryptography slip-ups occur due to user error – which is why I recommend it before the use of other systems. There are certain cases where you might want to use others, and so I feel it is necessary to mention two other operating systems with user security set as the priority.

The first of these two is Whonix. Whonix is not an operating system you can install on your desktop or laptop in the same manner you would install a standard Windows or Mac OS, and for good reason. Instead, the Whonix system relies on two different virtual machines that work in conjunction with each other to keep the user secure (remember how I mentioned “sandboxed VM systems” earlier? This is an example). These two VMs are known as the ‘Whonix-Gateway’ and the ‘Whonix-Workstation’. You should open and configure these (in the order I have written them) in the virtual machine client of your choice (VirtualBox is pretty easy to use). They should function together properly “out of the box”. Please remember to check the digital signatures of the two Whonix VMs with the techniques I have mentioned earlier before using them to browse or do anything serious.

Importing the Whonix VMs into VirtualBox.

The beauty of Whonix is its ability to be booted up as virtual machines in the main operating system of your choice. This means you could be using just about any Windows, Mac, or Linux OS as your primary workspace while deciding when you want to use Whonix within it to do heavy work that needs to be secured. Add the ability of file encryption and you have a pretty secure and private ‘operating system within an operating system’.

Whonix follows the networking logic of the Tails OS, in the sense that it ensures that all internet traffic is only run through Tor. One difference with the Whonix system is that there is no way for the user to choose to disable this feature. It is the default and the only option here, ensuring internet anonymity. It also provides extra padding for unique identifiers such as your MAC address, and protects you from even some of the nastiest malware out to ruin your day. Here is a nice tutorial for setting up the Whonix VMs using the method I have described. You can also read more about Whonix on their website (downloads also provided there) as well as in this informative Linux zine article.

The second security-minded operating system is one that also relies extremely heavily on the use of virtual machines, and it is called Qubes OS. The individuals behind the development of Qubes state clearly in the FAQ section of its official website that the ‘main concept’ behind Qubes OS is “To build security on the ‘Security by Isolation’ principle”. It does this through, you guessed it, virtual machines. But instead of using only two specifically designed VMs like Whonix does, Qubes can use three, or five, or ten, for that matter. Basically, the OS lets you build a number of sandboxes and choose which applications/programs you want to isolate in each one. See the graphic below, for instance:

An example of Qubes OS’s ‘Trusted & Secure Hypervisor’ at work.

This way, if something goes wrong in one sandbox – say, for instance, the one you’ve reserved for researching with your favorite web browser gets infected – it will be isolated from the rest of the system, keeping everything else you are working on safe. Unlike Whonix and Tails, though, Qubes does not run on the Tor network by default. Still, it wouldn’t be a bad idea to install the Tor Browser Bundle on Qubes OS and use it as your default web browser in its own isolated VM.

While Qubes offers a great way to organize and secure your operating system, it isn’t the most intuitive system out there. It’s going to take some getting used to, but it will surely aid you in your work more than the standard operating system configuration would. You can download the free operating system here. Also, please read technologist Micah Lee’s excellent (and much more in-depth) explanation of Qubes if you’re interested in the software.

Regardless of which OS you are using, you’re going to be using the internet for research. And when you’re browsing the internet and looking for information on a specific matter, you’ll almost certainly end up using a search engine. While the phrase “Google it” probably immediately comes to mind, let’s take a step back and think in a privacy-minded way. While Google is clearly the most widely used and accessible engine available, this comes with a big trade-off. Google effectively logs your IP address along with your search history, tracks you across your searches with cookies from Google Analytics, DoubleClick and other tracking software, and if you are logged into your Google (or Gmail) account while searching, all of this is identified and tied to your user account.

If somehow Google user/search data is obtained by a third party (whether it was planned or not) who decides they want to target users based upon what they’ve searched for, the information present allows them to quickly start rounding up IP addresses.

There are a couple of alternatives to Google and MSN in terms of searching the web, and they both offer a much more user-centric policy in terms of tracking and logging. The first of these two privacy-preserving alternatives is StartPage. This particular search site offers you the results you would get from a Google.com search without the IP and other data collection that would occur on Google’s own site, which it claims to do by actually fetching the results from Google while omitting the data attached to the search query.

When you do a search from DuckDuckGo’s website or one of its mobile apps, it doesn’t know who you are. There are no user accounts. Your IP address isn’t logged by default. The site doesn’t use search cookies to keep track of what you do over time or where else you go online. It doesn’t save your search history. When you click on a link in DuckDuckGo’s results, those websites won’t see which search terms you used. The company even has its own Tor exit relay, allowing Tor users to search DuckDuckGo with less of a performance lag.

It should be noted that StartPage is also “Tor-friendly”. In fact, it is currently the default search engine in the Tor browser. Both of these search engines have mobile-friendly sites as well. For a closer look at how different browser-based search engines stack up in terms of privacy, you can take a look at this Wikipedia comparison sheet.

As a final section on browsing/researching habits, we need to talk about open wireless access points. Yes, journalists like to get work done in their favorite coffee shops or in an airport terminal while waiting for their plane to arrive. But now that you’ve seen how easy it is for someone to sniff your traffic off of an unencrypted wireless access point, do you think this is a safe practice? VPNs help prevent snooping while connected to public wifi, as do other aforementioned tools such as communicating and researching through the Tor network, bootable anonymous systems like Tails, etc.

The bottom line is this: if you are working while connected to an unsecured public wireless connection, use extreme security precautions while doing so, and think very hard about whether it’s worth the risk before even connecting to it securely. A best practice when dealing with a source’s material or any delicate documents is to wait until you are using a connection you know is secure to work with them.

EMAIL:

We need to talk about email. So much so, that I decided to give the subject its own section outside of the other methods of digital communication. Email is very broken in terms of security. This is why there are so many ventures into creating a secure email platform. Have you been reading up on the Lavabit story lately? Well, it seems that despite their standing up to the DOJ and shutting down rather than handing data over (they were forced to hand over their SSL keys anyway), their system was far from secure (despite their promises). So when even the most renowned services are coming up broken, what’s a security-minded investigative journalist to do? There isn’t necessarily a clear-cut answer to this, but it is important to remember that, when properly implemented, encryption works. And this definitely applies to e-mail.

A good first line of defense that will help you lock down email communications and prevent snooping is ensuring that both your email account and the email account you are sending messages to enable TLS, or Transport Layer Security. TLS is a security protocol for internet-based traffic that uses cryptographic keys in order to verify and encrypt the data between, in this particular context, people sending emails to each other. There is a wonderful website I’ve found called CheckTLS that allows you to punch in an email address and runs a test (you can view the steps performed during the test for yourself on the results page) to show you whether or not the email address has TLS implemented on its server(s).

An example of a results table from CheckTLS.com

[MENTION – S/MIME Non-textual message pieces, such as attachments,]

One of the most widely used applications for email security is Pretty Good Privacy, or PGP. This encryption scheme uses both symmetric key cryptography and public key cryptography, which in this case consists of both a public and a private key for each user. It allows users to send emails to each other in ciphertext which they can decrypt upon opening once they have exchanged public keys. The process goes as follows (this example is derived from one that Steve Gibson of GRC gave on his Security Now! podcast):

I encrypt with my private key, then encrypt it a second time with your public key. You receive it, and you have to know what was done with it to reverse the process. You decrypt it with your private key, then you decrypt it with my public key.

Each of these public keys is bound, in a way, to the email address it was created for. That means the public key for name@service.com should always be the same. Something encrypted using your PGP public key can be decrypted by nobody but you, because only you have the private key that matches it. It can be intercepted by a MitM attack, but if it were changed in the process, it would not decrypt properly.

Here is an informative visual demonstration on how the Diffie-Hellman key exchange technology used within PGP works:

One really neat aspect of PGP is that your ciphertext won’t even give away any details on the length of the plaintext encrypted within the message, as PGP uses block ciphers to encrypt data. If you are interested in learning more about the workings of public key cryptography, there are many resources out there, but for the audio-inclined, the Security Now podcast has a great episode covering the topic available here.

When it comes to the implementation of PGP, it can be very tricky. When Edward Snowden reached out to journalists at The Guardian claiming he had a trove of Government Agency surveillance documents highlighting programs he deemed unconstitutional, he desperately wanted to communicate through PGP. The problem was that Glenn Greenwald, a very notable civil rights and national security journalist, was the one he initially reached out to. Greenwald is a great journalist, by all means, but at the time he didn’t have any software installed to handle this request, nor was he able to when provided with instructions from Snowden himself. The story was almost cast as a lower priority due to this issue, but instead, Greenwald reached out to a fellow journo, Laura Poitras, who was known to be very savvy in this regard. Poitras is the reason the Snowden files were distributed to the press as we continue to see them come out, and should be held in high regard.

The moral of this story isn’t that journalists like Greenwald should be shunned for not implementing PGP immediately, but rather that PGP is not easy to implement and execute properly for people who aren’t savvy hacker types – this includes journalists (like myself). Luckily, there are some pieces of software that have been created to make your life easier.

To start, regardless of your operating system, you are going to need a program to generate your PGP keys. For Windows, I’ve found GPG4Win to do the trick. As for Macintosh, I hear that GPGTools works well. Both of these tools stem from the GnuPG project, implementing OpenPGP standards (don’t worry if this is confusing). Here are step-by-step instructions for creating keys for Windows and Mac using the corresponding tools.

Now, once you have your public and private keys successfully generated and assigned to your desired email address, it’s time to set them up for use with a mail client. Unfortunately, not all email software is able to run PGP, but Mozilla’s Thunderbird does! If you wish to download or already have Thunderbird running on Windows, you can download an extension that will get PGP running with it, aptly titled Enigmail. Enigmail is easy to install as a Thunderbird extension for both Windows and Mac.

If you’re lost at this point (or were at any point, for that matter) or something is not working, you might want to uninstall everything and start from scratch with a new keypair. Here are some other guides to setting up PGP as I have described it, for Windows and Mac. These will also serve as examples of how to send PGP-encrypted messages to others who have some variant of the encryption method configured.

OpenPGP, Enigmail, and Thunderbird – A trifecta of tools for easy email security.

Make sure to NEVER share your private PGP key with anyone, and keep it somewhere very safe. If someone has your private key, you’re cooked. If you ever suspect that is the case, create a new one immediately and let everyone you’ve been communicating with know that it has in fact been compromised (through a different secure channel). You should also make sure not only to always encrypt delicate messages, but also to sign them. Signing a PGP message is an important authentication step, used to ensure not only that the message was actually sent by the person it claims to be from, but also to make any foreign alterations – made after the message was sent and before it was received – apparent.
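The sign-then-encrypt sequence described above under PGP, together with the signing point just made, as an added Go example (not GnuPG’s implementation, and not the OpenPGP message format): “encrypt with my private key” is an RSA-PSS signature, the message and signature are sealed under a random session key with AES-GCM, and that key is wrapped with the recipient’s RSA public key; the recipient reverses the steps, and any alteration in transit is rejected. The keys and the tip text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over email: the session key wrapped for the
// recipient, plus the nonce and the sealed body (message followed by signature).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Sealed     []byte
}

func GenerateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the sender's half: "encrypt with my private key" (an RSA-PSS
// signature) and then "encrypt it a second time with your public key".
func Seal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// The body is encrypted under a fresh random session key (the hybrid
	// scheme PGP uses); only that small key is RSA-encrypted to the recipient.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := append(append([]byte{}, msg...), sig...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open is the recipient's half: "decrypt with my private key, then decrypt
// with the sender's public key" (verify the signature). Any alteration in
// transit fails here instead of yielding a plausible-looking message.
func Open(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("message was not encrypted to this private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	body, err := gcm.Open(nil, env.Nonce, env.Sealed, nil)
	if err != nil {
		return nil, errors.New("ciphertext was altered in transit")
	}
	sigLen := senderPub.Size() // an RSA-PSS signature is exactly the modulus size
	if len(body) < sigLen {
		return nil, errors.New("malformed body")
	}
	msg, sig := body[:len(body)-sigLen], body[len(body)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not match the claimed sender's key")
	}
	return msg, nil
}

func main() {
	journalist, _ := GenerateKey() // constructed keys, generated fresh each run
	source, _ := GenerateKey()
	env, err := Seal(source, &journalist.PublicKey, []byte("constructed tip: the memo is dated 3 May"))
	if err != nil {
		panic(err)
	}
	msg, err := Open(journalist, &source.PublicKey, env)
	fmt.Printf("recipient reads: %q (err: %v)\n", msg, err)
	env.Sealed[0] ^= 0x01 // a man in the middle flips one bit
	_, err = Open(journalist, &source.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

Note that a stolen private key breaks both halves at once: an attacker holding it can read everything encrypted to it and sign as its owner, which is why the advice above is to revoke and re-announce immediately.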

OTHER COMMUNICATIONS:

There is nothing worse for a journalist than having a confidential source deterred or exposed. In the name of investigative journalism, it is imperative that sources are dealt with properly in order to keep them safe and convey their information properly, all so that the public can benefit from it.

Instant messaging is obviously a very popular method of digital communication, as it is more of a real-time way of talking to another person or group of people. So how can we put a security lid on it? Thanks to some trusty cypherpunks, an encryption system for instant messaging called OTR (Off The Record) exists. OTR is not only very secure, but it is a lot easier to configure compared to the likes of PGP.

Good luck trying to gain much understanding of this archived OTR conversation.

The key to verifying that the person you are communicating with is who he or she actually claims to be is a fingerprint. Everyone using OTR has a fingerprint generated for themselves. As with PGP’s public key, you can do what you want with the public fingerprint: post it on your website, include it in your email, etc. This is the fingerprint you will use to verify the source or colleague you are chatting with as well, and this should be done before sharing anything sensitive. If you and your source both already have PGP set up, maybe you can exchange these through a PGP-encrypted/signed email to further ensure it’s the real, un-tampered-with key from each of you. OTR also features what’s known as perfect forward secrecy, so that if you ever happen to lose control of your private keys, none of your previous conversations with others can be compromised. Although it still must be said, please be careful with your keys.

You can use OTR with a few popular chat clients such as Pidgin, Miranda, and Trillian. Here is a list of OTR-compatible operating systems, software, and chat clients.

Having said this, you’ll have to put a lot of work in to get things properly configured with most of the previously mentioned chat clients in order for OTR to be fully functioning. Luckily, the Tor Project has recently developed a very strong privacy-conscious chat client of their own – Tor Messenger. This easy-to-use client allows you to generate a new chat account with a password of your choice, connect solely through the Tor network, and generate/use an OTR fingerprint right off the bat. Although this client is only in its beta version at the moment, I highly recommend using it with OTR for most sensitive communication needs.

It’s very easy for government and corporate surveillance agencies to track and surveil your mobile habits. Whether your messages are written and sent on your personal computer, your laptop, tablet, or cell phone, there is always going to be a way. This is truly a serious danger in regime-controlled countries that practically target terrorists and journalists in the same way. Luckily, there are tools and practices similar to those mentioned in the previous sections that you can use in order to make these communications more secure.

Before even delving into clever apps for your phone and other mobile tech & security measures, let’s think of cell phone security on a big-picture level for a minute. Do you really think that you should be sending sensitive text messages or emails to an important source or colleague on a tiny handheld computer that also makes phone calls? Probably not. Or – just like with any other machine in this case – at least not without some form of strong encryption.

If you search ‘encryption’ in the Google Play Store or the Apple App Store, you’ll find a ton of different items that promise you “safety!” and “privacy!”. As I mentioned earlier, beware the “snake oil” salesman. There seems to be an almost tragic amount of hyperbolic privacy marketing with smartphone apps these days (example: Snapchat). You need to make sure to do the research before installing a bunch of applications on your phone that claim to be “secure” and having sensitive communications with them.

In terms of Android phones, there are a few strong applications that will aid you in secure communications. Perhaps one of the most notable is WhisperSystems’ Signal. Signal allows both iOS and Droid users to exchange encrypted text messages with each other, as long as both individuals have the application installed on their smartphones. What’s even more impressive is its encrypted voice capabilities, allowing users to hear each other’s voices as they would on the normal phone app, while taking extra steps to make sure that the channels the call goes through are less susceptible to MitM attacks.

TextSecure for Android, for Encrypted SMS.

Signal is a great program which allows you to send very securely encrypted messages without the trade-off of having to deal with too complex a configuration. In fact, once you and the person you are communicating with are both set up through TextSecure and have initiated an exchange, it feels like you are using the default text message application for Android. A nice breath of fresh simplicity within security.

Remember, for this app you can only use the secure communication control if the other person has the app installed and is using it during the conversation as well, but it does work cross-OS. Signal is Free Open Source Software, and its entire source code is viewable by the general public.

Outside of Signal, there seems to be a much smaller bucket of reliable iOS security apps for communication purposes. Having said that, I have found ChatSecure to be a nice option, especially since it supports OTR encryption.

In terms of browsing the internet on your phone, I would recommend using Tor when you can. Luckily there is an app for both Droids and iPhones to harness the power of the onion router. For Android, you will find Orbot to do the trick. Once you install Orbot and connect to the Tor network, you should use the Orweb browser app in conjunction with Orbot’s connection to surf the web.

On the iPhone, the only browser I’ve found that connects to the Tor network by default is Mike Tigas’ Onion Browser. Luckily, this app is very easy to use, as all you have to do to connect to the network is install and open it. Once you do this, you will see the app going through the necessary connection steps.

All in all, I don’t recommend the heavy use of your cell phone. There seems to be a lot less tweaking you can do with these devices to ensure secure connectivity and prevent eavesdropping.

DATA STORAGE/TRANSFER:

Storing your data and moving it along from one device to another is just as important as communications and browsing in terms of security. If your machine has been infiltrated or falls into the hands of someone who wants to do you harm, your data needs to be ready to stand up against eavesdroppers and other sorts of attackers. This can, again, be accomplished through means of strong encryption tools and techniques.

One of the most popular pieces of data encryption software is called Truecrypt.

Before I delve too deep into this tool, it should be known that development has ceased for the project. Why? We’re all kind of left scratching our heads about this (there have been plenty of entertaining conspiracy theories, of course). But whatever the case is, the latest version of a forked tool known as VeraCrypt remains safe and trusted for the time being, built by those wishing to preserve the project past its original creators.

As there was a major flaw found in the last once-safe version of Truecrypt, if you would like to use Truecrypt, please use VeraCrypt instead. If you’re not interested, there are some similar alternatives available.

The three main capabilities VeraCrypt gives you upon installation which you should focus on are as follows:

Main features:

– Creates a virtual encrypted disk within a file and mounts it as a real disk.
– Encrypts an entire partition or storage device such as USB flash drive or hard drive.
– Encrypts a partition or drive where Windows is installed (pre-boot authentication).

What you should take away from this is that you can use the software in order to keep your files encrypted (and safe) in three different ways: through a “container” file of your choosing which can be stored in the file system on your computer/hard drive/removable device, through a full encrypted USB device or portable hard drive, and/or through your operating system with full system encryption. Each one is relatively simple to configure, and mounting them through Truecrypt after they have been created can be as simple as either selecting it from the main program window and hitting the ‘Mount’ button on the bottom, or even dragging and dropping the “container” file or portable drive into the desired drive line and then mounting it.

VeraCrypt’s interface on Windows 8

VeraCrypt recognizes both actual and encrypted drives and also encrypted file containers as drives within its program. You can select the specific drive or folder you want to mount in the interface and put in your password in order to open the file. In order to open the volumes and file containers you will need to input your already chosen password each time, and Truecrypt uses strong encryption algorithms, making the files you’ve encrypted hard to break for those without your credentials.

What’s nice is that these VeraCrypt volumes can be placed on just about any portable device, from a CD to a flash drive, and to anyone without the password they will seem like a random unknown file. This makes it possible to physically exchange encrypted data in place of sending it over digital channels. What’s even more interesting is the fact that you can name your file with any sort of extension (i.e., .mp3, .avi, .xml).

Another noteworthy aspect of VeraCrypt is the ability to create what they call a Hidden Volume. With Hidden Volumes, a partition (basically, a segment) of either the drive or the container is selected, wherein you will be asked to put seemingly innocuous files, perhaps tax-looking documents and other financial files. You will be prompted to create a password for this partition. Next, you will be asked to create another, different partition. This one will be for the actual files you want to keep hidden – say, for example, some evidence of money laundering a Wall Street whistleblower has provided you with. You will again be prompted to create another separate password for this new partition (remember to make sure it’s a strong one).

With all these great offerings, we still need to remain vigilant in understanding that VeraCrypt has limitations. There is a great section on their site that lists what Truecrypt does not do (many of these points apply to VeraCrypt, as much of it is based on Truecrypt’s source). Here is one example that should be remembered:

“Truecrypt does not secure any data on the computer if an attacker has physical access to the computer before or while Truecrypt is running on it.”

This basically stresses ‘don’t leave your computer on with a VeraCrypt drive/volume still mounted while you’re not there to pull the plug on it under dire circumstances’. Or, on a more tinfoil hat level, don’t leave your computer on while you’re not with it ever.

Speaking of tinfoil hats, there is another method which may seem like overkill that is used to protect your files or hardware from being corrupted or attacked, and it involves cutting out your internet connectivity completely, from the get-go. This method, called Air Gapping, follows the logic that since most attacks come from malware that is spread or initiated from one (or many) networked computers, and since surveillance of activities is also done against internet-based habits, the best way to avoid any of this is to do delicate work with sensitive information on a machine that is not, and will never be, connected to the internet in any way. However, as security expert Bruce Schneier explains, this is more complicated than it may sound.

It’s expensive and impractical for a lot of people to buy a whole extra computer to be used for air-gapping, but there are some cheaper alternatives. One of my favorite little items to come out in the past few years is the Raspberry Pi, a fully functioning computer that almost fits in the palm of your hand. You can buy one of these for around $50 and ensure that it doesn’t connect to any wireless networks (you can even purchase a specific [maybe even cheaper?] model without any networking hardware in it). Keep in mind, you’ll need a spare monitor to hook it up to, as well as a USB keyboard and mouse. Air-gapping means you shouldn’t SSH into it from any other computers, unfortunately.

One pitfall of VeraCrypt that can be used to bring across another point about necessary security-based maintenance is that sensitive data, including keys, from Truecrypt remains unencrypted in the system’s Random Access Memory (RAM) while a volume is mounted. That’s just one reason why cleaning up disk space and RAM is important, along with the fact that it can make your machine perform a bit quicker. A very slick open source tool available and recommended by experts to do some heavy cleaning is BleachBit. BleachBit enables you to do the following:

Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source.

The last point about being open source is the icing on the cake of this powerful piece of software. The following is a brief explanation of the interface as well as how to run it:

Clean-up programs like BleachBit are important because – contrary to popular belief – simply dragging a file or folder to the recycling bin and emptying it does not make that data unrecoverable. If you have some info that a source has given you, let’s say in this case images proving a major political corruption scandal, someone who can gain access to your machine through either digital or physical attacks can still recover the images through a wide selection of data recovery and/or digital forensics tools.

Although Recuva is hardly the most powerful piece of data recovery software out there, it is a program that can help you if you have accidentally deleted files on a Windows operating system. Try it yourself: delete an innocuous file on your computer right now and recover it with that tool. I bet you it will work!
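To make the point above concrete, here is an added example (my own constructed simulation, not code from BleachBit, Recuva or VeraCrypt). It models a disk as a byte array and a filesystem as nothing more than a table of names pointing at blocks. A normal delete only drops the table entry, so a recovery tool that ignores the table and scans the raw bytes for a recognisable pattern still finds the content; overwriting the blocks before forgetting the name (shredding) or overwriting every unallocated block (a free-space wipe) is what actually removes it. The block size, the allocator and the sample note are all constructed for the demo.

```python
"""Why 'delete' is not 'erase': a toy block device and a carving 'recovery tool'.

Constructed teaching example; the allocation scheme is deliberately simpler
than any real filesystem (freed blocks are never reused), which only makes
recovery easier, not harder.
"""
import os
import re

BLOCK_SIZE = 64     # bytes per block; tiny so the whole "disk" is inspectable
NUM_BLOCKS = 32


class ToyDisk:
    """A block device plus a minimal allocation table (name -> blocks)."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.table = {}          # name -> (first_block, n_blocks, byte_length)
        self.next_free = 0       # bump allocator: enough for the demo

    def write(self, name, data):
        n_blocks = max(1, -(-len(data) // BLOCK_SIZE))   # ceiling division
        if self.next_free + n_blocks > NUM_BLOCKS:
            raise OSError("disk full")
        start = self.next_free * BLOCK_SIZE
        self.raw[start:start + len(data)] = data
        self.table[name] = (self.next_free, n_blocks, len(data))
        self.next_free += n_blocks

    def read(self, name):
        first, _, length = self.table[name]
        start = first * BLOCK_SIZE
        return bytes(self.raw[start:start + length])

    def delete(self, name):
        """Recycle-bin style delete: forget the name, leave every byte in place."""
        del self.table[name]

    def shred(self, name, passes=3):
        """Overwrite the file's blocks with random bytes, then forget the name."""
        first, n_blocks, _ = self.table[name]
        start, end = first * BLOCK_SIZE, (first + n_blocks) * BLOCK_SIZE
        for _ in range(passes):
            self.raw[start:end] = os.urandom(end - start)
        del self.table[name]

    def wipe_free_space(self):
        """Overwrite every block that no live file owns (the free-space wipe idea)."""
        live = set()
        for first, n_blocks, _ in self.table.values():
            live.update(range(first, first + n_blocks))
        for block in range(NUM_BLOCKS):
            if block not in live:
                start = block * BLOCK_SIZE
                self.raw[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)

    def carve(self, pattern):
        """What a recovery tool does: ignore the table, scan raw bytes for a signature."""
        return [m.group(0) for m in re.finditer(pattern, bytes(self.raw))]


# Constructed sample content; the carving pattern matches its fixed prefix.
SECRET = b"SOURCE NOTE: meeting at 9, documents in locker 14"
PATTERN = rb"SOURCE NOTE: [^\x00]+"


def demo():
    """Return what carving finds after a plain delete, after a wipe, and after a shred."""
    disk = ToyDisk()
    disk.write("notes.txt", SECRET)
    disk.write("shopping.txt", b"milk, eggs")

    disk.delete("notes.txt")              # "emptied the recycle bin"
    after_delete = disk.carve(PATTERN)    # still there: only the name is gone

    disk.wipe_free_space()                # overwrite unallocated blocks
    after_wipe = disk.carve(PATTERN)

    disk.write("notes2.txt", SECRET)
    disk.shred("notes2.txt")              # overwrite first, then delete
    after_shred = disk.carve(PATTERN)

    assert disk.read("shopping.txt") == b"milk, eggs"   # live files are untouched
    return after_delete, after_wipe, after_shred


if __name__ == "__main__":
    found, after_wipe, after_shred = demo()
    print("after delete:", found)
    print("after free-space wipe:", after_wipe)
    print("after shred:", after_shred)
```

The same reasoning applies to real drives, with two caveats the simulation does not show: on a busy filesystem freed blocks do get reused over time, which is why a recovery tool sometimes comes back empty, and on SSDs wear levelling means an overwrite may land on a different physical cell than the original, so full-disk encryption (as with VeraCrypt above) is a more reliable defence than shredding on flash media.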

Whether you are using Windows, Mac, Linux, or any other operating system, backing up your data is also definitely a good idea. When you do create a restore point or backup data file(s) of any kind, make sure to duplicate this process for extra safety. Save data backups in pairs and place them in multiple locations. However, it must also be said that these need to reside in not only a safe but a secure place. Here’s where Truecrypt can come in handy again. Once your files are in the optimal destination, create a TrueCrypt container to put them in. Or, you could always encrypt some USBs and send them there.

Finally, there is a long term concern that you should keep in mind, and it has a lot less to do with concentrated attacks or surveillance on your hardware or data storage than with a more natural problem. This is what those in computing refer to as data corruption. Keeping your data clean and healthy is a very important practice. For hard drives, if you notice that some data is missing, incomplete, or not functioning properly, this may be due to what’s known as a bad sector or sectors. Or perhaps bit rot – the slow decay of storage media – could even be the culprit. This is very common for hard drives, especially ones that have been in operation for years. There is plenty of software out there to maintain drives, but I have been most impressed by GRC’s SpinRite, which is one of the few programs I’ve ever heard of that not only detects problems with bits and sectors in drives, but most often fixes them. At $89, it could be a bit of damage to your wallet, but it will serve you well through your lifetime in maintaining and repairing drives, and for that I would absolutely recommend it.
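Drive-repair tools work at the sector level, but you also want to know which of your files a bad sector or a bad copy actually damaged, and whether the paired backups described two paragraphs up still match the originals. The following is an added example of my own (not SpinRite, not any backup vendor’s code) that records a SHA-256 digest per file in a manifest and later reports which files changed, went missing or appeared; a single flipped bit in a 5 KB file is caught even though its size is unchanged. The directory layout and file contents are constructed for the demo, and the check assumes the manifest itself is kept on a separate, trusted copy.

```python
"""Integrity manifest: detect silent corruption (bit rot) or a bad backup copy.

Constructed example. build_manifest() hashes every file under a directory;
verify_manifest() re-hashes and diffs against the stored manifest.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large archives do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative, '/'-separated) to its digest and size."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root with a stored manifest.

    Returns sorted lists of paths that are corrupted (digest differs),
    missing (in the manifest but not on disk) and new (on disk but not recorded).
    """
    current = build_manifest(root)
    corrupted = sorted(p for p in manifest
                       if p in current and current[p]["sha256"] != manifest[p]["sha256"])
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    return {"corrupted": corrupted, "missing": missing, "new": new}


def manifest_to_json(manifest):
    """Serialise for storage alongside (or better, apart from) the backup."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def demo():
    """Constructed scenario: primary copy is intact, backup copy has one flipped bit."""
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as backup:
        for root in (primary, backup):
            os.makedirs(os.path.join(root, "interviews"))
            with open(os.path.join(root, "interviews", "2013-05.txt"), "wb") as f:
                f.write(b"transcript, page 1 of 40\n" * 200)      # 5000 bytes
            with open(os.path.join(root, "README.txt"), "wb") as f:
                f.write(b"archive of source material\n")

        manifest = json.loads(manifest_to_json(build_manifest(primary)))

        # Simulate bit rot on the backup: flip one bit deep inside the transcript.
        # The size stays identical, so only the digest can reveal the damage.
        victim = os.path.join(backup, "interviews", "2013-05.txt")
        with open(victim, "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0x01]))

        return verify_manifest(primary, manifest), verify_manifest(backup, manifest)


if __name__ == "__main__":
    primary_report, backup_report = demo()
    print("primary:", primary_report)
    print("backup :", backup_report)
```

Run the manifest build once when you create a backup pair and the verification whenever you touch the copies again; if the two copies disagree, the manifest tells you which one to trust.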

One last bit I’d like to mention is one that may seem unnecessary, but I feel it should be mentioned: if you find a USB around work (or anywhere), don’t just plug it into a computer with your information on it. Give it to your I.T. department or simply leave it be. Better safe than sorry.

____

After sifting through the various methods of protection, it is more important than anything to have a vigilant mindset. Understand that without using methods of encryption and security properly on both ends of a communication, you might as well be using regular surveillance-prone methods of communication. It is also wise to understand that there is no “magical cover-all solution” offered in encryption. The field of cryptography is a dynamic one, where methods to break types of encryption are developed often. Where there are certain types of crypto that would require even a supercomputer decades to crack, there are others that promise highly secure methods and fall flat on their face. Beware the closed-source provider of “Military grade encryption”, for their words can be an empty promise.

But most important is a mindset outside of security precautions. As a journalist, it is your duty to provide services and information for the public. Knowing this, you should be sure to use the aforementioned protections for good, not evil. Give a good name to these tools that so many have worked very hard on so that you could be provided with a greater sense of privacy. Go and do this by practicing a code of ethics that you have in some way or another sworn by. If you grew up on comic books like myself, I will give you the biggest cliche possible: remember what Uncle Ben said to Peter Parker before he passed away…

“With great power comes great responsibility.”

And remember, stay safe.

____

OTHER RESOURCES:

I believe it is very important for journalists and bloggers who want to practice information security to gain information from a plethora of sources. The following are some of the best security guides, websites, presentations, and other links I could find. Please use them, and don’t solely take any one article (including my own) as your only resource.

– Security Now! Podcast – I’ve name-dropped this throughout this post, but I really do think it is the finest tech & security related podcast out there. If you’re interested and willing, you’ll learn a lot from Steve Gibson and Leo Laporte :: https://www.grc.com/securitynow.htm

– Bob Cromwell’s ‘Computer System and Network Security’ index page, with lots of links containing a ton of good information on digital security and how to understand/implement it :: http://www.cromwell-intl.com/security/

A NOTE: I am not and do not claim to be an expert in cryptography or Information Security, I am in fact someone who works in IT, a freelance journalist, and an advocate that takes the subjects seriously and devotes a lot of time to learning as much as I can on these topics. Please take this into consideration. I have spent a substantial amount of time working out this post, and am confident about it. However, this does not mean it shouldn’t come under any criticism. In fact, I would encourage anyone and everyone to criticize anything I have written. I will be making changes/additions/omissions to this post when necessary, and will try and document these changes within the comments section for transparency. Please feel free to leave any other comments, or questions there as well. You can also use the Internet Archive’s WayBack Machine if you want to see past changes (or if you don’t trust me). Thanks for reading!

13 responses to “A Digital Security Guide for Journalists: When Privacy is Essential”

UPDATE: I’ve added steps to verify checksums for Mac & Linux devices and have also included a list of other tools to use when dealing with checksums. See the first few paragraphs of the ‘Software and Hardware Habits’ section for full content.

UPDATE: Added a link [https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext] in the beginning of the section highlighting Tor, in order to further stress this point (the following is content from the link):

“Any plaintext communication over the Internet is open to intercept. This is true if the transport mechanism is email, http, tor, or carrier pigeons. Tor does not magically encrypt the Internet from end to end. Tor does wrap your traffic in encrypted layers as it transports it through the Tor network”

I have also included a nice image (from the EFF) detailing how Tor functions.

UPDATE: I’ve deleted the last sentence of the paragraph on social engineering, which included this:

“even recently, with an unsuspected victim; America’s secret spy agency that specializes in surveillance tactics, the National Security Agency.”

This is due to a recent public Q&A session with Snowden himself, that helped dispute the original claims that he used social engineering tactics to get to NSA agency passwords and leak their files (first reported by Reuters, I believe).

UPDATE: I have added some overviews of two security minded operating systems (similar to Tails) in the later part of the Browsing & Research section. These two operating systems are Whonix and QubesOS. Both utilize sandboxing and other security measures via virtual machines.

UPDATE: I have written some additional words on the Tor Browser Bundle section, stressing exactly what Tor can do and also its limitations as a tool. This includes a new video from the Stanford Center for Internet & Society, which is definitely worth a watch for more info on Tor: https://www.youtube.com/watch?v=ij7nqNJ0Yhw